Text Encryption Tool

Text Encryption Tool

Encrypt and decrypt text with AES-256 encryption. Secure message encryption with password protection. Free online text encryptor/decryptor

Encrypting a string with AES sounds simple until you learn the four ways to do it wrong: ECB mode (catastrophically broken patterns), reused IVs (key recovery), no authentication (ciphertext malleability), and weak key derivation (offline brute force). This tool uses AES-256-GCM with a per-message random IV and PBKDF2-derived keys from your passphrase — the same construction TLS 1.3 uses. Encryption happens in your browser via Web Crypto; the passphrase and plaintext never leave the tab.

What the tool actually does, end to end

  • Generate a random 16-byte salt (per encryption).
  • Derive a 256-bit key with PBKDF2-HMAC-SHA256 from passphrase + salt, 600,000 iterations (OWASP 2023 recommendation for SHA256).
  • Generate a random 12-byte IV (per encryption — AES-GCM IV is 96 bits).
  • Encrypt plaintext with AES-256-GCM, producing ciphertext + 16-byte authentication tag.
  • Concatenate salt + IV + ciphertext + tag, base64-encode, output.

To decrypt, the receiver parses the salt/IV out of the input, re-derives the key from the same passphrase, and runs GCM decrypt. If the authentication tag does not verify, decryption fails — no partial output, no "looks like garbage" fallback. This means an attacker cannot tamper with ciphertext undetected.

Working example

Input

Plaintext: "Meet at the corner at 3pm"
Passphrase: correct-horse-battery-staple-42

Output

Salt:    Vk2Z7sQ8aP1nLqXrR3oWzA==     (16 bytes, base64)
IV:      uK1xN5cTrQqV8bMd               (12 bytes)
Cipher:  m2k9NqFp...                    (encrypted body)
Auth tag: 0xH7tR9z...                    (16 bytes, prevents tampering)

Final output (base64, all concatenated):
  Vk2Z7sQ8aP1nLqXrR3oWzAuK1xN5cTrQqV8bMdm2k9NqFp0xH7tR9z==

Decryption with the wrong passphrase fails with "authentication failed" — not "wrong plaintext".

Each encryption of the same plaintext produces different output because the salt and IV are random. This is the desired behavior — identical ciphertext for identical plaintext would leak that the plaintexts are the same.

Why each piece is there

  • AES-256 — symmetric block cipher, NIST-approved, fast on modern CPUs with AES-NI instructions (almost all x86 since 2011, ARM since v8.2-A). 256-bit key is overkill for foreseeable computing but standard practice.
  • GCM mode — authenticated encryption. Produces a 16-byte tag that proves the ciphertext was not modified. Without authentication, an attacker can flip bits in ciphertext to corrupt plaintext predictably (CBC + no MAC = padding oracle attacks).
  • Random IV per encryption — required by GCM. Reusing an IV with the same key catastrophically breaks the cipher (key recovery becomes trivial). 12-byte random IV gives 96 bits of randomness, safe up to ~2^32 encryptions per key.
  • PBKDF2 with 600k iterations — slow on purpose. A 12-character passphrase has roughly 60-70 bits of entropy; PBKDF2 turns each guess into 600k SHA256 operations (~milliseconds on a CPU, hours on a GPU per million guesses). Bcrypt or Argon2id would be slightly better; PBKDF2 is what Web Crypto natively supports without polyfills.
  • Salt per encryption — prevents pre-computed rainbow tables. Even if 10 million users encrypt "Hello" with passphrase "password", each ciphertext is unique because each salt is unique.

When to reach for this tool

  • You want to send a one-off secret to a friend over a channel that is convenient but not secure — Slack DM, email, SMS. Encrypt with a passphrase you communicate out-of-band.
  • You are testing your own application's decryption logic against known ciphertext.
  • You want a "lockbox" for a small note (recovery codes, off-the-grid contact info) that you can paste anywhere as ciphertext and decrypt later with a passphrase you remember.
  • You are explaining authenticated encryption to a junior engineer and want a tangible demo of "wrong passphrase fails, modified ciphertext fails".

What this tool will not do

  • It will not encrypt large files in the browser efficiently. Web Crypto AES-GCM has a 64GB-per-operation limit and reads the whole payload into memory. For multi-gigabyte files, use age, gpg, or openssl on the command line.
  • It will not protect against malware on your device. If your machine is compromised, the passphrase you type is captured before encryption. The tool secures data in transit / at rest, not against endpoint compromise.
  • It will not give you a key-exchange protocol. If you and the recipient cannot agree on a passphrase securely beforehand, you need public-key crypto (age, GPG, Signal) instead. Passphrase exchange over the same channel as ciphertext defeats the purpose.

Encryption runs locally via Web Crypto. Plaintext, passphrase, and intermediate values are never transmitted. After encryption, the ciphertext is safe to paste anywhere; the passphrase remains the entire security.

Frequently asked questions

Is AES-256 quantum-resistant?

Partially. Grover's algorithm on a sufficiently large quantum computer would halve the effective key strength — AES-256 would have ~128 bits of post-quantum security, still well beyond brute-force. AES-128 would drop to ~64 bits, which is breakable. Use AES-256 for any data you want safe for 30+ years.

How strong should my passphrase be?

For low-value secrets (a Slack message), 10+ random characters or 4+ random Diceware words is fine. For high-value secrets, 6+ Diceware words (~77 bits of entropy) or a 16+ character random string. Memorable phrases ("MyDogIsFluffy2024!") are far weaker than they look — attackers know the patterns.

Can I decrypt without the passphrase?

No. That is the whole point. Without the passphrase, decryption requires brute-forcing PBKDF2 — at 600k iterations, a high-end GPU does roughly 1 million guesses per second. A 12-character random passphrase has ~78 bits of entropy = 2^78 guesses = longer than the age of the universe.

What is the difference between encryption and hashing?

Encryption is reversible with a key; hashing is one-way. AES encrypts plaintext to ciphertext you can decrypt back. SHA-256 hashes data to a digest you cannot reverse. Use encryption for confidentiality (you want to read it later); use hashing for integrity (you want to verify it has not changed).

Should I use this for storing passwords?

No. Passwords should be hashed (Argon2id, scrypt, bcrypt) for storage, not encrypted. Encryption implies decryption, which means anyone with the decryption key can read all passwords. Hashing means even the operator cannot read them — only verify a presented password matches.

Why does the ciphertext look different every time I encrypt the same text?

Because the salt and IV are random each time. This is intentional: identical ciphertext for identical plaintext leaks information about plaintext patterns. The randomization is what makes the encryption semantically secure (CPA-secure).

Related tools

Hash Generator

Generate MD5, SHA-1, SHA-256, SHA-512 hashes from text or files. Verify file checksums. Free online hash calculator and checksum generator

Password Generator

Generate strong random passwords with letters, numbers, symbols. Customizable length and complexity. Free secure password generator online

Passphrase Generator

Generate secure passphrases using Diceware and EFF wordlists. Create memorable yet strong passwords. Free online passphrase maker

Encryption Playground

Learn how AES and RSA encryption works step by step. Visualize encryption process, key generation, and cipher operations. Interactive cryptography tutorial

File Checksum

Calculate MD5, SHA-1, SHA-256, SHA-512 checksums for files. Verify file integrity and compare hashes. Free online file hash calculator

Published · Updated · E-Utils editorial team